vol 8, issue 3

Point-of-sale cyber security: hacking the check-out

11 March 2013
By Aasha Bodhani
Image: a sale being made at a supermarket checkout. Caption: Point-of-sale becomes point-of-concern as cybercriminals target the credit card details that POS technology processes.

Image: a sale being made at a supermarket self-service checkout. Caption: Advances in point-of-sale checkout technology can also introduce ICT security issues.

Image: Barnes & Noble store front. Caption: US bookstore chain Barnes & Noble was attacked in 2012, with personal information lifted from its POS systems.

Image: Barnaby Jack on stage with an ATM. Caption: Barnaby Jack demonstrated live the 'ease' of hacking into an ATM at the Black Hat Conference in Las Vegas.

As point-of-sale systems embrace mainstream software, they will have to deal with the security threats that come with it. After all, what cybercriminal wouldn't go after Windows-based devices handling credit and debit cards?

It is a simple fact of economics that consumers and retailers perpetually encourage one another towards ever greater convenience. And with greater convenience comes greater connectivity between devices running common computing operating systems. And such obliging levels of connectivity provide convenience not just for consumers but for cybercriminals too.

Connected point-of-sale (POS) systems – that's the checkout to you and me – are the most recent targets of the cybercriminal, and a specially crafted piece of malware, dubbed Dexter, is further indication that all kinds of connected devices may now be vulnerable to attack.

Checkout technology has been getting steadily more intelligent over the last decade, and if checkout systems are starting to look more like standard personal computers than electronic cash registers, it's because they are increasingly adopting much of the same technology.

Potential hauls for successful cybercriminals provide plenty of incentive to target POS. The amount reportedly stolen from sandwich franchise Subway's POS systems by four Romanian hackers between 2008 and 2011 was $3m. The hackers compromised the credit cards, debit cards, and gift cards of more than 80,000 Subway customers across 150 US-based restaurants, as well as 50 other unnamed retailers, using 'sniffing' software to make unauthorised charges. Cezar Butu of Ploiesti, Romania, was sentenced to 21 months in prison in January 2013 for the Subway theft. The remaining three suspects are still awaiting trial.

"Retail cybercrime is the crime of the future," says Dave Marcus, director of security and communications at security software firm McAfee. "Instead of coming in with guns and robbing the till, criminals can target businesses, root them from across the planet, and steal digitally."

Digital crime opportunities have certainly increased as businesses adopt more 'omni-retailing' methods, such as conventional e-commerce (or 'etailing'), social media, and taking payments through smart devices.

Of course, conventional online and mobile payment fraud are still a problem. For instance, there was Sony's infamous PlayStation Network hack (see 'Sony Security Laid Bare', http://bit.ly/eandt-sony-security), and more recently online US-based shoe store Zappos was hacked in January 2013, exposing personal information and credit card numbers of its 24 million customers. This means that mainstream retailers could soon find themselves caught in a pincer movement, attacked both online and on the high street.

Bank card cloning

Attacks on POS systems based on standard computer operating-systems are bound to increase as long as that software is targeted; even encryption does not deter criminals from having a try. In 2009 the Westin Bonaventure Hotel & Suites in Los Angeles experienced a data breach when their POS systems were illegally accessed during April and December. The hackers were able to obtain the names and bank card details of checked-in guests.

Another retail sector incident occurred in September 2012 when 63 Barnes & Noble bookstores in the US were breached, including branches in New York City, Miami, Chicago, and Florida. The breach was detected during a maintenance inspection of its in-store POS systems. The inspection found that customer bank card information was the main target; the cards were cloned when customers swiped their cards through the PIN terminal.

Information security management firm Trustwave revealed in its 2013 Trustwave Global Security Report that the retail industry is now the top target for cybercriminals. The data was collected by Trustwave's security experts and taken from 450 global data-breach investigations, 2,500 penetration tests, nine million Web application attacks, two million network and vulnerability scans, five million malicious websites and 20 billion emails from multi-national corporations, merchants and government entities. From this, the retail industry made up 45 per cent of Trustwave's data-breach investigations, a 15 per cent increase from 2011.

POS systems have been undergoing a makeover over the past several years, as hardware-wired, all-in-one systems are gradually replaced by wireless and touchscreen POS systems. Supermarkets are upgrading their traditional electronic cash registers to self-service touchscreen POS systems; in 2011 supermarket chain Tesco installed technology company NCR's SelfServ Checkout in stores across central and eastern Europe, enabling customers to scan, bag and pay for goods themselves.

Product retailers are not the only businesses to use standard POS systems: restaurants, hotels, visitor attractions, and recreational establishments like cinemas, theatres, and fitness centres, for instance, all use integrated systems that process credit- and debit-card transactions.

Generic POS technology is also advancing. According to market analyst TechNavio, the Global Point-of-Sale software market will reach $3.2bn in 2014, driven by near-field communication technology and contactless payments.

'Mysterious' Dexter

Just before the 2012 festive period, a new piece of malware surfaced and was found in hundreds of POS systems in hotels, restaurants, retailers and private parking providers. The malware was discovered by Israel-based security firm Seculert: 'Dexter' (the name comes from the string 'BKDR_DEXTR.A') is a data-theft tool used to target and attack POS systems. The program, which is Microsoft Windows-based, uses common techniques to search the memory of running processes to identify credit-card track data, but is unusual in giving the attacker full remote control.

Seculert CTO and co-founder Aviv Raff explains that while the company is as yet uncertain as to who is behind Dexter, the author is fluent in English: Dexter mainly targeted English-speaking countries. The malware was located in 40 different countries, but notably 42 per cent of POS systems targeted were in North America and 19 per cent UK-based. "Instead of going through the trouble of infecting tens of thousands of consumer PCs or physically installing a skimmer, an attacker can achieve the same results by targeting just a few POS systems with specially crafted malware," Raff says.

The malware injects itself into iexplore.exe on Windows systems by rewriting a registry key. It then pinches sensitive credit-card data from the server before transferring it to a remote command and control system. Windows-based POS systems are used increasingly in the industry, and according to Seculert's findings, 51 per cent of targeted POS systems use the outdated Windows XP. The high percentage indicates that Windows-based machines which process unencrypted track data are viable targets.

Microsoft Windows XP may be the 'preferred' choice for POS systems, especially among smaller retailers who feel that they cannot afford to upgrade, but with the operating system to be discontinued in 2014, the question is over what support will be offered for remaining XP users and if they will be able to handle the upgrade to Windows 7 or 8.

"Dexter only has three purposes in life," says Trustwave's security researcher Josh Grunzweig. "To always be running on the victims' machine, to find any card, or track, data in any running program on the victim, and to communicate with the attacker who is controlling it."

The latter is what makes the malware stand out and impresses Grunzweig. "I can't remember the last time I saw a piece of malware that targeted POS systems that had a nice command and control structure to it," adds Grunzweig.

He explains that the attacker maintains control of the attack by using normal communication methods, but hides what is being sent by encoding the data. By default the malware sends a message to the attacker every five minutes, and it also checks the victim for track data in any running process every 60 seconds.
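The fixed five-minute check-in described above is itself a detection opportunity: a machine that contacts one external host at an almost constant interval stands out from ordinary browsing or update traffic. The following is an added example, not code from the article or from Seculert or Trustwave; the proxy log lines, host names and the 203.0.113.9 address are constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed proxy log (not from the article): timestamp, source host,
# method, URL. pos-07 posts to the same external host roughly every
# 300 s, as a Dexter-style check-in would; pos-02's traffic is irregular.
PROXY_LOG = """\
2013-02-11T09:00:05 pos-07 POST http://203.0.113.9/gateway/
2013-02-11T09:01:12 pos-02 GET http://updates.example.net/manifest
2013-02-11T09:05:05 pos-07 POST http://203.0.113.9/gateway/
2013-02-11T09:07:40 pos-02 GET http://updates.example.net/patch1
2013-02-11T09:10:06 pos-07 POST http://203.0.113.9/gateway/
2013-02-11T09:15:05 pos-07 POST http://203.0.113.9/gateway/
2013-02-11T09:16:03 pos-02 GET http://updates.example.net/patch2
2013-02-11T09:20:04 pos-07 POST http://203.0.113.9/gateway/
2013-02-11T09:31:55 pos-02 GET http://updates.example.net/patch3
"""


def parse(log: str):
    """Group request timestamps by (source host, destination host)."""
    by_pair = defaultdict(list)
    for line in log.splitlines():
        ts, host, _method, url = line.split()
        dest = url.split("/")[2]  # host part of "scheme://host/path"
        by_pair[(host, dest)].append(datetime.fromisoformat(ts))
    return by_pair


def find_beacons(log: str, min_hits: int = 4, max_jitter: float = 0.05):
    """Return (host, dest, mean_interval_s) for pairs whose request
    intervals are nearly constant (coefficient of variation <= max_jitter)."""
    out = []
    for (host, dest), times in parse(log).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            out.append((host, dest, round(mean)))
    return out


if __name__ == "__main__":
    for host, dest, interval in find_beacons(PROXY_LOG):
        print(f"{host} -> {dest}: beacon every ~{interval}s")
```

A real deployment would run this over a longer window and whitelist known periodic traffic (monitoring agents, NTP, patch polling) before alerting.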

The magnetic stripe on a credit card contains three tracks, and the malware attempts to extract data from memory relating to tracks one and two, which contain numeric or alphanumeric data that can be used to clone the card used in a transaction. If Dexter finds any of this track data, it alerts the attacker in the next message sent and the process is repeated. The attacker has the control to change the timings, install additional malware or even remove Dexter altogether.
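Track one and track two have a fixed, recognisable layout (track one opens with '%B', the card number, '^', the cardholder name, '^' and the expiry; track two opens with ';', the card number, '=' and the expiry), which is exactly why a memory scraper can find them and why a defender can test a POS for the same exposure. The example below is added here and is not code from the article or from any vendor named in it: it scans a constructed slice of process memory for track records, rejecting numbers that fail the Luhn check so that order IDs and other digit strings are not reported, and masks the card numbers it finds. Such a check is how one would verify that a terminal or P2PE setup really keeps cleartext track data out of process memory.

```python
import re

# Constructed sample (not from the article): a slice of process memory as a
# memory scraper would see it, holding one track 1 record, one track 2
# record, and a decoy digit string that is not a valid card number.
SAMPLE_MEMORY = (
    b"\x00\x00GET /status HTTP/1.1\r\n"
    b"%B4111111111111111^DOE/JOHN^25121011000000000000?"
    b"\x00\x00order_id=4111111111111112\x00"  # fails Luhn: not a card
    b";5500000000000004=2512101123456789?"
    b"\x00lots of other heap data\x00"
)

# Track 1: %B<PAN>^<NAME>^<YYMM>...   Track 2: ;<PAN>=<YYMM>...
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})")


def luhn_ok(pan: bytes) -> bool:
    """Standard Luhn checksum over an ASCII digit string."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 48  # bytes iterate as ints; 48 is '0'
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: bytes) -> str:
    """Keep first six and last four digits (BIN and suffix), mask the rest."""
    p = pan.decode()
    return p[:6] + "*" * (len(p) - 10) + p[-4:]


def find_track_data(buf: bytes) -> list:
    """Return (track, masked PAN, expiry YYMM, offset) for each plausible
    track record found in buf, dropping candidates that fail Luhn."""
    hits = []
    for m in TRACK1.finditer(buf):
        if luhn_ok(m.group(1)):
            hits.append(("track1", mask(m.group(1)), m.group(3).decode(), m.start()))
    for m in TRACK2.finditer(buf):
        if luhn_ok(m.group(1)):
            hits.append(("track2", mask(m.group(1)), m.group(2).decode(), m.start()))
    return hits
```

Run over a real process dump the offsets tell you which module or heap region held the cleartext, which is the first question in scoping a breach like the ones described above.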

"The most unusual thing about Dexter is the small amount of public attention it has received," says Trustwave's Josh Grunzweig. "The issues that make POS-specific malware difficult to discuss in the industry also affect the ability of antivirus companies; without samples they are unable to provide detailed protections for specific threats."

POS protection

According to Grunzweig, there are several layers businesses need to address to prevent POS malware attacks. The most common attack is through weak remote administration or virtual private network authentications, which are mitigated through classic technical and policy controls, such as maintaining updates, network isolation of payment systems, strong authentication mechanisms

Small businesses are often targeted and known for their perceived lack of security awareness and implementation of IT security technology. "When a POS system is infected with this class of malware, merchants must act quickly to identify how they were compromised, and how badly, and then correct the immediate issues of the attack, and ensure that they have locked down the rest of their infrastructure from additional attacks," adds Grunzweig.

Since the public statement of Dexter, there has been relatively little further coverage on which businesses have fallen victim, and on who is responsible for the attack – so the full extent of the malware's damage has yet to be revealed.

"Some countries do mandate that customers get informed within days after a breach has been discovered, therefore there is not much a business can do but follow the law," explains researcher Vincent Hanna from the anti-spam protection company Spamhaus Project, "but it is possible that in cases where such rules do not exist internal (legal, security) or external (insurance companies) forces may interfere with making things public."


How's it done?

A conventional ATM (automated teller machine) is a computerised telecommunication device enabling users to make financial transactions in a public space using a 'secure' PIN and without the need for human assistance. With the migration to PC hardware, these types of POS systems use typical operating systems and programming tools, such as Microsoft operating systems (including Windows 2000 and Windows XP), as well as Java, Linux, Unix, and even PC-DOS.

The days of burglars towing ATM machines away or spying on ATM users have mostly passed; instead cyber criminals are becoming more sophisticated in their attacks by cloning card data and stealing PIN numbers. At the 2010 Black Hat computer conference in Las Vegas, IOActive's director of security research, Barnaby Jack, not only hacked into an ATM machine, but famously made it eject money too. Jack demonstrated two attacks on two ATMs, manufactured by Triton and Tranax, which both run on Windows CE and are typically installed in retail outlets and restaurants.

The first attack saw Jack reprogramming an ATM remotely over a network, without physically interfering with the machine. For the second attack, he inserted a USB stick loaded with malware into the Triton ATM. Jack revealed that 95 per cent of retail ATMs are on dial-up connections, and for this reason it is easy to conduct a remote hack, as an attacker would only need to know an ATM's IP address or phone number. To begin the Tranax hack, Jack used a remote attack tool, named 'Dillinger', which was capable of exploiting the authentication-bypass weakness in Tranax's remote monitoring feature and of uploading software or reprogramming the firmware on the system.

With this control, Jack installed a malicious program he wrote called 'Scrooge', which lurked discreetly in the background until the ATM was disturbed by users entering their card and PIN. This activated a hidden menu, from which Jack instructed the machine to eject money; the screen flashed 'Jackpot!' as the money came out. Scrooge is also claimed to be capable of stealing magnetic stripe data and printing receipts.

The Triton attack was physical: Jack opened the machine using a generic key available on the Internet and connected a USB stick containing malware. This attack might have been prevented with better locks, but it highlights the ease of breaking and entering.

A decade of retail cyber attacks

2005-06 – International retailer and ASDA owner Wal-Mart among the earliest victims, when hackers stole the source code for its POS software from the firm's development team.

2005-07 – TJX exposed millions of customers' card details when cybercriminals broke into its network using a combination of attacks, including replacing POS terminals when staff weren't looking.

2006 – The Scotsman newspaper reported that MasterCard was investigating the theft of up to 2,000 customer card details from a store belonging to an unidentified UK-based retailer.

2006-09 – Seven US restaurants in Louisiana and Mississippi sued POS system suppliers Radiant Networks and Computer World after their 'Aloha' terminals were hacked because they were not PCI-DSS compliant.

2007-08 – US supermarket chain Hannaford Brothers found hackers had installed malware on the in-store Linux servers at almost 300 stores via customer-facing POS systems, which collected and transmitted transaction details to an overseas ISP.

2008 – POS system supplier Heartland Payment Systems admitted hackers had used a combination of keystroke logging and 'sniffer' malware to steal details from its network of up to 250,000 US customers.

2011 – US restaurant chain Penn Station affected by a breach which affected 91 of its outlets, which was suspected to involve remote access to Internet connected POS terminals.

2011 – Up to 94,000 bank cards compromised after customers visited craft shops belonging to Michael's, with POS and PIN-entry devices at 84 US locations found to have been tampered with.

2012 – SophosLabs discovered a strain of the Citadel Trojan which had been altered to target Canadian financial institutions processing payments from POS devices, using screen captures, form-field grabbing and keystroke logging.

2012-13 – Zaxby's saw POS terminals at 108 of its US restaurants hit by malware designed to collect/transmit credit and debit card information spread via the company's network.
